
Proper security statements in README

Open ei-grad opened this issue 2 years ago • 2 comments

This PR proposes adding more measured language around SSH3's current security status. Making absolute security claims about an early prototype could be misleading without extensive analysis and review over time.

To build community trust and encourage assistance accelerating SSH3's secure development, I've updated the messaging to:

  • Note SSH3 is still an experimental proof-of-concept
  • Advise against public Internet exposure in present form
  • Explicitly state that expert cryptographic review is still needed
  • Call for collaboration to advance the protocol responsibly

I believe positioning SSH3's security more conservatively for now is prudent. It still shows intriguing promise improving on SSH2, but overstating protections too early can risk credibility and user security if vulnerabilities emerge later.

By being upfront about limitations and the need for review, my aim is to facilitate open community engagement accelerating SSH3 towards safe production readiness. I welcome any feedback, and hope these README updates might encourage capable security researchers to help validate and strengthen SSH3 moving forward!

ei-grad, Dec 18 '23 09:12

I would also like to refer to Issue #57 in the README, by stating that if one has security questions, there is an open discussion with some answers there. Would you like to add that as well?

francoismichel, Dec 18 '23 14:12

@francoismichel I agree, all your wording suggestions look better. I've committed these changes and credited you as the author. Shall we address the security questions in a separate pull request? I believe it would be worthwhile to add some information to the SECURITY.md file in the repository.

ei-grad, Dec 18 '23 14:12

Can we proceed with the changes proposed in this PR and comments? I feel this would add to the README and as such is good to merge sometime soon :)

mpiraux, Jan 04 '24 14:01

Updated the code, please recheck whether all proposed changes were done right and the merge is correct.

ei-grad, Jan 04 '24 21:01

Rebased your branch with main and then merged in 9259245, thank you very much for the work!

francoismichel, Jan 08 '24 16:01